The term firewall conventionally designates either a unit dedicated to the firewall function or a logic system integrated into a unit having functions other than those of a firewall, for example software integrated into a computer. The firewall is intended to make a network secure by filtering data coming from an external network before transmitting it to the secure network.
The firewall decides whether to transmit data or not as a function of particular security criteria.
Conventionally, it has a first interface for communicating with units of the external network and a second interface for communicating with units of the secure network. To be more precise, the first interface receives and analyses data streams coming from the external network. The firewall then decides whether to authorize data received from the external network for transmitting to the secure network on the basis of that analysis and as a function of security criteria.
A firewall can use several types of filtering for this purpose. Whatever type of filtering the firewall uses, it provides some isolation between the secure network and the outside world.
If the data conforms to the security criteria, the second interface transmits it to the secure network.
If the external network is an Internet Protocol (IP) network, the data to be transmitted to the secure network consists of IP packets. Subsequent references to this kind of external network are for illustration only and are not limiting on the scope of the invention.
For security reasons that are familiar to the person skilled in the art, the firewall is generally not authorized to modify an IP packet to be transmitted to the secure network: the units of the secure network must be able to rely on receiving exactly the packet that was inspected, and a firewall that rewrites packets becomes itself a source of data injected into the protected network.
Because of this, one problem in this field is transmitting information additional to the IP packet without degrading the level of security that the firewall offers the units of the secure network.
Now, in certain cases, it may be highly advantageous, and even of fundamental importance, to add to the packet to be transmitted information that is available to the firewall and that might be useful in the secure network.
In a conventional network architecture, the firewall transmits an authorized packet to the secure network through the intermediary of a secure network unit responsible for routing authorized packets in the secure network and known as a router. For example, in this kind of architecture, additional information available to the firewall may assist the router to route IP packets efficiently and correctly in the secure network. Several ways to supply the router with such additional information may readily be envisaged.
A first way is for the router to obtain the information available to the firewall from data received in the packet. However, the performance of the router may be degraded if obtaining this information requires complex and costly computation.
Another way is for the information available to the firewall to be transmitted directly to the router in the packet. However, by intrusively modifying the IP packet, this kind of manipulation might be hazardous to the secure network and might degrade the level of protection offered by the firewall.
A third way is for a protocol layer to be added to transmit the additional information from the firewall to the router. However, a new protocol layer implies costly and complex modifications to the units responsible for transporting the additional information.
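The following is an added illustration, not code from the patent text, of the filtering decision described above (a firewall that inspects an incoming IP packet and either forwards it untouched to the secure network or discards it) and of why the second approach above, writing the additional information into the packet itself, is hazardous. The rule table, addresses and packets are constructed for the example; the header parsing and checksum follow RFC 791.

```python
"""Minimal stateless IPv4 packet filter (added example, not the patent's own code).

filter_packet() returns a decision and, on "allow", the ORIGINAL bytes unchanged;
annotate_in_band() shows the intrusive approach the text warns against: splicing
information into the header without recomputing it leaves the packet invalid.
Packets and rules below are constructed for illustration."""
import ipaddress
import struct


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum of 16-bit words, complemented.
    Computed over a header whose checksum field is already filled in, it yields 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes = b"") -> bytes:
    """Build a constructed IPv4 packet (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(packet: bytes) -> dict:
    """Validate the IPv4 header and extract the fields the filter needs.
    Raises ValueError for anything malformed, which the filter treats as deny."""
    if len(packet) < 20:
        raise ValueError("short packet")
    if packet[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IHL")
    total_len = struct.unpack("!H", packet[2:4])[0]
    if total_len < ihl or total_len > len(packet):
        raise ValueError("bad total length")
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad header checksum")
    return {"ihl": ihl, "proto": packet[9], "total_len": total_len,
            "src": ipaddress.IPv4Address(packet[12:16]),
            "dst": ipaddress.IPv4Address(packet[16:20])}


# Constructed rule table: (action, source network, destination network, protocol or None).
# First match wins; anything unmatched falls through to DEFAULT_ACTION.
RULES = [
    ("allow", "203.0.113.0/24", "192.0.2.10/32", 6),   # TCP from a partner range to one server
    ("deny",  "0.0.0.0/0",      "192.0.2.0/24",  1),   # no ICMP into the secure network
]
DEFAULT_ACTION = "deny"


def filter_packet(packet: bytes, rules=RULES):
    """Return (decision, matched_rule_index, forwarded_bytes).

    forwarded_bytes is the input packet object itself on "allow" (the firewall
    forwards exactly what it inspected) and None on "deny"."""
    try:
        h = parse_ipv4(packet)
    except ValueError:
        return ("deny", None, None)          # malformed traffic never crosses
    for i, (action, snet, dnet, proto) in enumerate(rules):
        if (h["src"] in ipaddress.ip_network(snet)
                and h["dst"] in ipaddress.ip_network(dnet)
                and (proto is None or proto == h["proto"])):
            return (action, i, packet if action == "allow" else None)
    return (DEFAULT_ACTION, None, None)


def annotate_in_band(packet: bytes, option: bytes = b"\x01\x01\x01\x01") -> bytes:
    """The intrusive approach: insert an IP option (here NOP padding) to carry extra
    information, bumping IHL and total length but NOT recomputing the checksum.
    The receiver's header check then fails; fixing it would require the firewall
    to rewrite the header, which is exactly the modification it is not allowed to make."""
    ihl = (packet[0] & 0x0F) * 4
    new_ver_ihl = (4 << 4) | ((ihl + len(option)) // 4)
    new_total = struct.unpack("!H", packet[2:4])[0] + len(option)
    header = bytes([new_ver_ihl]) + packet[1:2] + struct.pack("!H", new_total) \
        + packet[4:ihl] + option
    return header + packet[ihl:]


if __name__ == "__main__":
    pkt = build_ipv4("203.0.113.5", "192.0.2.10", 6, b"GET /")
    print(filter_packet(pkt)[:2])                       # ('allow', 0)
    print(filter_packet(annotate_in_band(pkt))[:2])     # ('deny', None): stale checksum
```

The forwarded bytes on "allow" are the same object that was inspected, which is the property the text relies on: whatever the firewall learned during inspection (which rule matched, what protocol it saw) exists only in the decision tuple, not in the packet. Pushing that knowledge into the packet, as `annotate_in_band()` does, either produces a packet the secure network will reject or forces the firewall to rewrite headers.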